Why Security Techniques Need To Evolve As Fast As Hackers

This year, at the annual DEF CON conference for hackers — the largest of its kind in the U.S. — an 11-year-old made headlines when he managed to hack a highly accurate replica of Florida’s election website in less than 10 minutes.

And that was only half the bad news — the other half was that it was an 11-year-old who did the hacking, and an adult hacker would simply be insulted by the task.

“These websites are so easy to hack that we couldn’t give them to adult hackers — they’d be laughed off the stage,” said Jake Braun, a former White House liaison for the Department of Homeland Security, in an interview with ABC News.

And the bad news of impressive feats in hacking have been pouring out of various hacking professional conferences all summer long. A research team at the Black Hat conference managed to trick voice recognition software from Microsoft by convincing it a machine voice was human.

And it wasn’t just the hack — it was how accessible and essentially easy it was to perform. John Seymour, a Salesforce senior data scientist, and Azeem Aqil, a Salesforce software engineer, didn’t just want to hack voice recognition — they wanted to “break voice authentication with minimal effort.”

“By breaking, we mean gaining access by impersonation. By minimal effort, we mean it shouldn’t require tons of computing — think desktop rather than server farm. It should finish in a reasonable time. And it should require little or no data science expertise,” Aqil told PC Magazine.

The team did manage — though calling how they did it “minimal effort” is notably a bit of an abuse of the English language.

But easy or not — as  Brett Beranek says —  if there are ways to use a combination of data scraping and sound editing to convincingly and consistently fool voice-controlled systems like Cortana, Alexa or the Google Assistant, cybercriminals are going refine them — and quickly. Analysts estimate that over half (55 percent) of American households will be regularly interacting with voice-activated assistants by the year 2025. Hackers love nothing more than a target-rich environment.

But while the hackers can and will come, Beranek says, we can get better about spotting them.  Because when it comes to trying to spoof a biometric like voice, it’s not just about what the customer says that can give them away.

It is also possible to have technology really “listen” to how they say it.